SonicWall investigates possible zero-day amid Akira ransomware surge


Pierluigi Paganini
August 05, 2025

SonicWall probes possible new zero-day after spike in Akira ransomware attacks on Gen 7 firewalls with SSLVPN enabled.

SonicWall is investigating a potential new zero-day after a surge in Akira ransomware attacks targeting Gen 7 firewalls with SSLVPN enabled. The company is working to determine if the incidents stem from an existing flaw or a newly discovered vulnerability.

“Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled. This includes threat activity highlighted by third-party cybersecurity research teams such as:

  • Arctic Wolf
  • Google Mandiant
  • Huntress

We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.” reads the statement published by the vendor.

SonicWall is actively investigating, collaborating with external threat researchers, and keeping partners and customers informed. The vendor announced it will release fixes if a new vulnerability is confirmed.

Arctic Wolf Labs researchers recently reported that Akira ransomware affiliates are exploiting SonicWall SSL VPNs in what is likely a zero-day attack, compromising even fully patched devices. Arctic Wolf Labs observed multiple intrusions that began with VPN access in late July 2025. Because fully patched devices with TOTP MFA enabled and rotated credentials were still compromised in some cases, the available evidence points to a zero-day in SonicWall's SSL VPN rather than to reused credentials alone.

“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability.” reads the report published by Arctic Wolf Labs. “In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP MFA being enabled, accounts were still compromised in some instances.”

Ransomware activity targeting SonicWall SSL VPNs surged from July 15, 2025, although similar cases date back to October 2024. Attackers frequently authenticated to the VPN from Virtual Private Server (VPS) hosting ranges, whereas legitimate users typically connect from broadband ISP networks. Arctic Wolf also observed short intervals between initial VPN access and encryption, and says it has applied its own recommended defenses internally.

“In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments.” continues the report.

The researchers recommend that organizations consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.

SonicWall advises enabling security services such as Botnet Protection, enforcing MFA for all remote access, and removing unused firewall accounts; Arctic Wolf additionally recommends regular password rotation. To limit exposure to malicious VPN logins, organizations should consider blocking VPN authentication from hosting-provider ASNs, with the caveat that blanket blocking can disrupt legitimate access. These steps reduce risk but, by the researchers' own assessment, may not fully prevent the described attacks.
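The hosting-ASN signal from the Arctic Wolf report (VPS-hosted logins versus broadband ISP logins) and the "block hosting ASNs, but carefully" advice above both reduce to the same detection logic: enrich each successful VPN login with its source ASN and surface the ones that come from hosting providers, rather than blocking them outright. The script below is an added example, not code from SonicWall, Arctic Wolf or the article. It goes slightly beyond the text by also comparing each login's ASN against a per-user baseline and flagging successful logins without MFA. The log line format, the ASN table (RFC 5398 documentation ASNs), the IP prefixes (RFC 5737 documentation ranges), the sample events and the baseline are all constructed stand-ins for a real firewall log and a maintained ASN/GeoIP feed.

```python
"""Triage SSL VPN logins by source ASN (added example; constructed data)."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed ASN table: asn -> (organisation, is_hosting_provider).
ASN_TABLE: dict[int, tuple[str, bool]] = {
    64500: ("Example Broadband ISP", False),
    64501: ("Example Cloud Hosting", True),
    64502: ("Example Telecom", False),
}

# Constructed prefix -> ASN mapping, standing in for a BGP/GeoIP lookup.
PREFIX_TO_ASN = [
    (ipaddress.ip_network("198.51.100.0/24"), 64500),
    (ipaddress.ip_network("203.0.113.0/24"), 64501),
    (ipaddress.ip_network("192.0.2.0/24"), 64502),
]

# Constructed sample log in a hypothetical key=value format (not SonicWall's own).
SAMPLE_LOG = """\
2025-07-28T02:14:05Z vpn-login user=jdoe src=198.51.100.23 mfa=totp result=success
2025-07-28T02:20:41Z vpn-login user=jdoe src=203.0.113.77 mfa=totp result=success
2025-07-28T09:03:12Z vpn-login user=asmith src=192.0.2.9 mfa=totp result=success
2025-07-28T09:04:30Z vpn-login user=asmith src=203.0.113.5 mfa=totp result=failure
2025-07-28T09:05:00Z vpn-login user=svc-backup src=203.0.113.120 mfa=none result=success
"""

# Constructed per-user baseline: ASNs each account normally connects from.
BASELINE: dict[str, set[int]] = {
    "jdoe": {64500},
    "asmith": {64502},
    "svc-backup": {64502},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>\S+) result=(?P<result>\S+)$"
)


@dataclass
class VpnLogin:
    ts: datetime
    user: str
    src_ip: str
    mfa: str
    success: bool


def parse_line(line: str) -> Optional[VpnLogin]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return VpnLogin(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        user=m["user"], src_ip=m["src"], mfa=m["mfa"],
        success=(m["result"] == "success"),
    )


def lookup_asn(ip: str) -> Optional[int]:
    """Map a source IP to an ASN; the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_TO_ASN:
        if addr in net:
            return asn
    return None


def is_hosting_asn(asn: Optional[int]) -> bool:
    return ASN_TABLE.get(asn, ("unknown", False))[1]


def triage(log_text: str, baseline: dict[str, set[int]] = BASELINE) -> list[dict]:
    """Return one finding per successful login that deserves analyst attention."""
    findings = []
    for line in log_text.splitlines():
        login = parse_line(line)
        if login is None or not login.success:
            continue  # failed attempts are a separate (brute-force) signal
        asn = lookup_asn(login.src_ip)
        reasons = []
        if is_hosting_asn(asn):
            reasons.append("login from hosting-provider ASN")
        if asn is not None and asn not in baseline.get(login.user, set()):
            reasons.append("ASN not in user's baseline")
        if login.mfa == "none":
            reasons.append("successful login without MFA")
        if reasons:
            findings.append({
                "ts": login.ts.isoformat(), "user": login.user,
                "src_ip": login.src_ip, "asn": asn,
                "org": ASN_TABLE.get(asn, ("unknown", False))[0],
                "reasons": reasons,
            })
    return findings
```

Running `triage(SAMPLE_LOG)` on the constructed log yields two findings: jdoe's second login (hosting ASN, outside the user's baseline) and the svc-backup login (hosting ASN, outside baseline, no MFA); asmith's successful broadband login is left alone and the failed attempt is skipped. Treat the output as a triage queue, not a block list: the report itself notes that blocking hosting ASNs wholesale can disrupt operations, so an alert-then-review workflow, or a block limited to accounts that should never roam, keeps the signal without the outage.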

SonicWall urges Gen 7 firewall users to apply the following mitigations immediately while its investigation continues:

  • Disable SSLVPN where possible.
  • Restrict SSLVPN access to trusted source IPs.
  • Enable security services such as Botnet Protection and Geo-IP Filtering.
  • Enforce MFA, with the caveat that it may not fully prevent this threat.
  • Remove unused accounts, especially those with SSLVPN access.
  • Maintain strong password practices.

These steps aim to reduce risk while SonicWall continues its investigation.

The Akira ransomware operation has been active since March 2023; its operators have breached organizations across multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.
